How hunt operations can strengthen your security posture

By Joseph Williams

Aug 10, 2017

There’s no question that federal agencies have expanding options today for sophisticated threat analytics, automated tools and security solutions to protect the growing complexity of their IT environments. However, it’s equally true that as the attack surface grows and malicious threat actors remain both creative and agile, threats will abound if not escalate.

The simple fact is, threats are launched by active, thinking, human attackers who continually adjust their vectors around the automated detection and mitigation methods we develop. A solid argument can be made that a strong proactive posture should include an equally agile, highly skilled team of security analysts that can ‘hunt’ through the IT environment looking for the telltale signs these attackers inevitably leave behind.

Hunt operations and compromise assessments are designed to do just that. For many security-conscious agencies and enterprises, they are becoming a regular part of proactive security program. Hunt operations can provide needed additional visibility to current risks that an agency’s security operations center (SOC) may not have.

The hunt is on: What is threat hunting?

Threat hunting is a search for evidence of an attacker in the network, even in the absence of an alert or indicator that an attacker has breached the network. Hunters approach their task with the mindset that the attackers are already in, and they must find the evidence to prove that hypothesis.

To confirm the hypothesis, hunters begin with an iterative scan of the network looking for indicators of compromise too abstract for vendor tools alone to pick up. The analysts also take input from vendor tools, in-house tools and attacker trends, then synthesize the data into a more in-depth assessment of the network. This move beyond accepting the output of a tool as gospel allows organizations to reintegrate the human element into the defensive process and achieve a more holistic picture of the organizational security posture.

While our adversaries use tools, they do not rely on them. When a virus family is discovered and the indicators are loaded into antivirus programs in their target, the attackers pivot to new tactics and new software. Our defenders should have that flexibility while choosing which computer artifacts to scan in the pursuit of new adversary tactics. Threat hunting is the model that allows SOCs to grow that flexibility. With the SOC constantly growing its number of sources for detecting compromise, the time between compromise and detection can be lowered significantly through Hunt Operations.

Building a practice around good people and equipping them with the information, access and tools necessary to effectively pursue compromise assessments gives an organization a proactive defensive unit working on their side. When a threat-hunting team engages a network over a long period of time, the team members build up familiarity with the network and the associated vulnerabilities. When combined with automation, this allows their investigations to evolve with new threats and ideas into a proactive defensive force.

Hunt operations methodology

Threat hunters don’t approach a compromise assessment planning to scan everything in the network; the data influx would overwhelm any team. Instead, each assessment covers a specific area with a specific attacker tactic in mind. The team first researches attacker trends to determine what those in the network may be doing. If attacker trends show network file shares are used to pivot from one host to another, then this assessment will look at file shares and determine if they have been used by unauthorized hosts or users. In doing this assessment, the team develops tools and methodologies for checking this aspect of the network. Once network file shares are scanned and assessed, the team documents the tools and methodologies and moves on to the next assessment.

Looking for everything each time a compromise assessment is run can overwhelm the team with data and tasks

After months of performing these assessments, there will be more areas to search and monitor than a team can feasibly perform. The next phase for a threat-hunting team is to begin the automation of past queries. Efforts are typically divided between developing new assessments to conduct and automating past assessments to simplify monitoring. Automation can be as simple as loading custom signatures into an intrusion detection system (IDS) or as complicated as building a custom script for queries. The team must decide what is appropriate to automate and how to enable monitoring to occur concurrently with assessing.

Making a big impact with small steps

Assessing threat hunting over the long term brings greater rewards than intensive short-term assessments. As the team conducts assessments and builds a body of work, the picture of the network and the vulnerabilities the organization is confronting becomes clearer. Vendor tools such as IDS and antivirus give insight into wide swathes of the network; a hunt team illuminates the areas that IDS and antivirus cannot see. Attackers know that the network will have IDS and antivirus, so they create exploits that do not trigger the tools. The hunt team focuses on flexible searches that looks for the attackers in those blind spots.

Use the results to feed SOC operations

The blind spots, once discovered, will be reported to the SOC and integrated into incident response plans. These integrations help incident response times and help the SOC stay in the loop as much as possible about the attack space on the network. When the SOC changes security procedures or equipment, they will notify the hunt team. The hunt team can perform assessments to see what security impacts the changes make and provide this information to the SOC for feedback. This feedback is not limited to changes; feedback about network configuration vulnerabilities and access control list misconfiguration, for example, can be sent to the SOC to help harden the network.

Seek, find, secure: Hunt operations a secure step for agencies

All organizations would welcome an ironclad cybersecurity ‘panacea.’ However, in the absence of that unobtainable utopia, hunt operations are a solid layer of additional protection for agencies to consider as a complement to the tools, processes, and policies they have in place. Hunt teams are a very proactive approach to finding the risks that may be in the network already and address them before those risks become the next major incident. It is conceivable that having a hunt operations capability could have changed or mitigated the results of the larger data breaches that affected the Office of Personnel Management, USIS and other government contractors.

For those agencies that have the in-house skill set to deploy their own hunt team, ongoing hunt operations can be an integral part of a proactive security program. For those that do not have the skillset in house, partnering with a skilled provider on a quarterly basis to target specific components within the enterprise environment can pay dividends in terms of peace of mind and greater overall security.